Re: ZoneAlarm remote Denial Of Service exploit
In-Reply-To: <20030902145734.2258.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
ZONE LABS SECURITY ADVISORY
DENIAL OF SERVICE REPORT
OVERVIEW
Zone Labs has found no evidence that, under real-world conditions, its
products are vulnerable to the Denial of Service attack described by
HackologyTeam@xxxxxxxxx at the BugTraq site and mailing list. There is
also no evidence that Zone Labs products are vulnerable to the similar
attack described by sprog@xxxxxxxxx in the follow-up post to BugTraq.
Date Published: September 3, 2003
EFFECT ON ZONE LABS USERS
Little or none.
ZONE LABS PRODUCTS
Zone Labs tests do not show that computers employing Zone Labs Integrity?,
ZoneAlarm® Pro, ZoneAlarm Plus, and ZoneAlarm security products are
vulnerable to this attack in real-world situations.
DESCRIPTION
This Denial of Service (DoS) attempt sends a barrage of UDP packets to a
PC protected with ZoneAlarm 3.7 or ZoneAlarm Pro 4.0. The vulnerability
reporter claims that this packet flood causes the target PC to hang. Zone
Labs' testing did NOT show this under real-world conditions (described
below). In the vulnerability report, the attacker included the Perl script
to launch the attack. Other important information, such as type of PC and
connection speed, was not specified.
IMPACT
Because the initial report lacked important information, Zone Labs tested
the Perl script on multiple PCs with a variety of network speeds. We were
unable to replicate the results the testers claim. We noted the following
results:
1) While we have seen a somewhat higher CPU usage and related slow-down on
the target machine, we have not seen anything resembling a DoS attack. The
largest slowdown occurred on a direct computer-to-computer 100-MBit
network. Even in that setup, we never observed a complete freeze under any
conditions. (Nor were other methods of UDP flooding effective.) For a
real-world DoS attack to succeed, it would need to be effective at much
slower connection speeds more typical for Internet connections (for
example, 1.5-MBit for a T1 or DSL connection).
2) Zone Labs Integrity, ZoneAlarm, ZoneAlarm Plus, and ZoneAlarm Pro were
not disabled as a result of the attacks, and the security of the test
machines was never compromised by the attempted DoS attack. Once the
attempted attacks stopped, the CPU usage went down to normal levels
immediately.
RECOMMENDED ACTIONS
Install any Zone Labs product to protect against UDP-flood attacks. Zone
Labs' tests did not show a Denial of Service result. We will be addressing
the relatively minor performance issues in upcoming releases. Note that in
the typical definition of a Denial of Service attack, the target is a
server PC (whose service is thus denied). ZoneAlarm, ZoneAlarm Plus, and
ZoneAlarm Pro are not designed to protect server platforms. The following
supported platform list applies to Zone Labs products:
http://www.zonelabs.com/store/content/support/znalmGeneralFAQ.jsp#9general
RELATED RESOURCES
BugTraq posting: http://www.securityfocus.com/archive/1/335830/2003-08-
30/2003-09-05/0
CREDITS
This report first appeared on the BugTraq vulnerability list. Zone Labs
adheres to the vulnerability disclosure guidelines found at
http://www.wiretrip.net/rfp/policy.html. These guidelines specify
informing a vendor before public disclosure of a possible vulnerability,
so a security fix may be created to protect users before malicious
software takes advantage of the exploit. We encourage all vulnerability
reporters to follow the same procedure. To report a vulnerability, please
send an email to security@xxxxxxxxxxxxx
CONTACT
Zone Labs customers who are concerned about this issue or have additional
technical questions may reach our Technical Support group at:
http://www.zonelabs.com/store/content/support/support.jsp.
COPYRIGHT (c) 2003 by Zone Labs Incorporated
Permission to redistribute this alert electronically is granted as long as
it is not edited in any way unless authorized by Zone Labs. Reprinting the
whole or part of this alert in any medium other than electronically
requires permission from Zone Labs.
>
>
>
># Overview :
>#
># ZoneAlarm is a firewall software
># package designed for Microsoft Windows
># operating systems that blocks intrusion
># attempts, trusted by millions, and has
># advanced privacy features like worms,
># Trojan horses, and spyware protection.
># ZoneAlarm is distributed and maintained
># by Zone Labs.http://www.zonelabs.com
>#
># Details :
>#
># ZoneAlarm was found vulnerable to a
># serious vulnerability leading to a
># remote Denial Of Service condition due
># to failure to handle udp random
># packets, if an attacker sends multiple
># udp packets to multiple ports 0-65000,
># the machine will hang up until the
># attacker stop flooding.